For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Anthony_178254's avatar
Anthony_178254
Icon for Nimbostratus rankNimbostratus
Nov 02, 2016

Complex logic -- Redirect to new URI based on IP in Data Group match.

Hi All,

 

Need help from the many iRule expert here. I have an iRule that currently validate server availability and send to a maintenance page and also have a rule to match based on URI access.

 

Thanks in advance!

 

What I need help is to add a new snippet to this code below to do the following. There are a few logic below that needs to follow the requirements. Please help to add to this iRule.

 

Summary: new URI is added to our external facing webpage called "/customer"

 

A. if you are coming from internet and going to the "/customers" URI A1. Check data group for IP match (data group named "InternalNetworks" = 10.0.0.0/8) A2. If your IP does not match the internal range, allow to go to "/customers" URI and do not redirect.

 

B. If coming from the internal network matching the "InternalNetworks" data group (10.0.0.0/8) to the same "/customers" URI link B1. Allow and redirect to a new URI based on your source IP being in the 10.0.0.0/8 range Redirect --> "/CustomerInternal"

 

Existing iRule 
when HTTP_REQUEST {
      if { [active_members MYPOOL-MYSITE-P443] < 1 } {
      HTTP::redirect "http://maintenance.mysite.com" }   
      switch -glob [HTTP::uri] {
         "*/admin1*" - 
         "*/admin2*" {
         if { !([matchclass [IP::client_addr] equals ADMIN-ALLLOWED-IP-LIST])} {
         reject
      `text`}
    }  
  }
}
application delivery
BIG-IP
iRules

2 Replies

  • Samir_Jha_52506's avatar
    Samir_Jha_52506
    Icon for Noctilucent rankNoctilucent
    Nov 03, 2016

    Prepared iRule based on the condition. Please let me know if working.

               when HTTP_REQUEST {
           if { [active_members MYPOOL-MYSITE-P443] < 1 } {
           HTTP::redirect "http://maintenance.mysite.com" }   
            switch -glob [HTTP::uri] {
            "*/admin1*" - 
            "*/admin2*" {
           if { !([matchclass [IP::client_addr] equals ADMIN-ALLLOWED-IP-LIST])} {
           HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
        else { HTTP::redirect "/CustomerInternal" }  
        }  
     }
}
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Nov 03, 2016

    Hi,

    you have only to add a new URI in your switch:

    when HTTP_REQUEST {
      if { [active_members MYPOOL-MYSITE-P443] < 1 } {
      HTTP::redirect "http://maintenance.mysite.com" }   
      switch -glob [HTTP::uri] {
         "/customers*"{
            if {[IP::addr [IP::client_addr]/8 equals 10.0.0.0]} {
                HTTP::redirect "/CustomerInternal"
            }
         } 
         "*/admin1*" - 
         "*/admin2*" {
            if { !([matchclass [IP::client_addr] equals ADMIN-ALLLOWED-IP-LIST])} {
               reject
        }
    }  
  }
}